Cyber security: advisory

Find out about the DDaT job roles that comprise the cyber security advisory family practice.

Cyber Security Risk Manager

Role summary

The Cyber Security Risk Manager identifies, understands and mitigates cyber-related risks. They provide risk or service owners with advice to help them make well informed risk based decisions.

Role levels are: associate, lead and principal.

Entry route

Internal: Suitable for an individual from a role within the Government Security Profession or Digital, Data and Technology Profession or those with a clear interest and aptitude for technology and security risk management

External: Suitable for an individual who has worked in a Cyber Security risk management role in industry. More junior roles will be suitable for those with a clear interest and aptitude for technology and security risk management

Skills required to be a cyber security risk manager

Information risk assessment and risk management. Information risk assessment and risk management identifies and evaluates security risks to information, systems, and processes owned by the organisation, and proactively provides appropriate advice, drawing on a wide variety of sources, to stakeholders across the organisation and at a variety of levels.

Applied security capability. Applied security capability is formed of a set of complementary security skills. Individual roles may have a requirement for a different profile across these skills. Applied security capability involves 4 elements:

  1. Security requirement elicitation: gathering and deriving meaningful security requirements to support an identified need
  2. Application of security capabilities: apply standardised or unique security capabilities to address security needs
  3. Provision of assurance and confidence: provide confidence that business priorities are appropriately protected
  4. Security and risk reporting: communicate security and risk effectively

Protective security. Protective security encompasses the combination and multi-layering of appropriate and proportionate Physical, Personnel and Cyber Security measures to help identify and respond to any attack. Security requirements will change according to the locally identified threats and vulnerabilities.

Threat understanding. Threat understanding encompasses evidence-based knowledge, including context, about an existing or emerging threat to assets that can be used to inform decisions.

Cyber security risk manager associate

Typical role level expectations

  • Work within established security and risk management governance structures, usually under supervision to support, review and undertake straightforward risk management activities such as:
    • helping with the analysis and derivation of business-supporting security needs
    • undertaking Cyber Security related risk assessments, basic threat assessments and other risk management activities
  • Have an understanding of the applicability of appropriate legislation and regulations
  • Provide advice to address identified Cyber Security related risks by applying a variety of security capabilities, which may include using published guidance, standards or experts as appropriate
    • The scenarios will be straightforward, and the advice given will be proportionate and contextualised to the use case
  • Provide straightforward advice to validate the effectiveness of risk mitigation measures, including an understanding of how to use different assurance activities (such as a pen test) and make recommendations for improvement
  • Help risk or service owners to make decisions that are well informed by good and clear security advice, including contributing to reports or working within established reporting chains in a security team

Skills needed for this role

  • Information risk assessment and risk management (Relevant skill level: practitioner). At this level you:
    • Understand the organisation’s business drivers and approach to managing risk to support delivery of balanced and cost-effective risk management decisions on situations with a relatively well-defined scope. Relate risk to corporate governance, organisational strategic direction and planning
    • Deliver or review risk assessments using appropriate risk assessment methods for common scenarios such as enterprise IT systems
    • Inspect and report on the security characteristics of systems with straightforward scope
    • Have a good understanding of how assessed risks are addressed as part of an approach to risk treatment
  • Applied security capability (Relevant skill level: practitioner). At this level you:
    • Elicit security requirements based on straightforward approaches such as threat/vulnerability/impact analysis. Security needs will include an understanding of the user as part of the overall system
    • Help organisations to derive and reason about their security needs, such as understanding and applying security principles to particular business scenarios
    • Interpret and clarify management or organisational intention with regards to security, such as described in risk appetite statements. This includes interpreting such statements into meaningful and appropriate security requirements
    • Provide security advice to non-standard use cases, drawing on and using experts in specific topics or technologies
    • Use standardised control frameworks (such as ISO/IEC 27001 and 27002) appropriately, with awareness of their strengths and limitations
    • Understand when security measures might impact on users or business needs and provide effective advice to help the business make an appropriate decision
    • Apply a range of assurance approaches, with a clear understanding of the strengths and limitations of each approach. There is a clear ability to map the assurance options recommended directly to the security need to be addressed
    • Seek assurance and confidence that is not limited to a point in time but addresses the whole system/service life cycle
    • Provide meaningful security and risk communication in a range of scenarios. Understand and take account of the limitations of various risk communication mechanisms, such as qualitative versus quantitative approaches
  • Protective security (Relevant skill level: working). At this level you:
    • Apply concepts of protective security within the context of the other specialisms/enablers, and keep knowledge up to date
    • Champion protective security within the wider security function, providing advice to others
  • Threat understanding (Relevant skill level: working). At this level you:
    • Interpret sources of threat information for the local environment and apply knowledge of the external environment
    • Maintain understanding of local and strategic threat environments, and trends affecting the landscape, and apply them to inform decisions and provide context
    • Use local and strategic threat information in decision-making and planning
    • Communicate tailored threat information to relevant local stakeholders within the organisation

Cyber security risk manager lead

Typical role level expectations

  • Independently undertake risk management activities within a given area of practice or expertise, usually within established security and risk management governance structures
  • Lead the analysis and derivation of business-supporting security needs, undertake Cyber Security related risk assessments, conduct tailored threat assessment and other risk management activities, and ensure activities are consistent with applicable regulations and legislation
  • Provide tailored advice to a range of stakeholders on how to remedy identified risks by proportionately applying security capabilities, drawing on published guidance and standards, a range of experts and personal expertise
  • Provide expert security advice that highlights Cyber Security related risks, so risk or service owners can make well-informed and auditable decisions

Skills needed for this role

  • Information risk assessment and risk management (Relevant skill level: practitioner). At this level you:
    • Understand the organisation’s business drivers and approach to managing risk to support delivery of balanced and cost-effective risk management decisions on situations with a relatively well-defined scope. Relate risk to corporate governance, organisational strategic direction and planning
    • Deliver or review risk assessments using appropriate risk assessment methods for common scenarios such as enterprise IT systems
    • Inspect and report on the security characteristics of systems with straightforward scope
    • Have a good understanding of how assessed risks are addressed as part of an approach to risk treatment
  • Applied security capability (Relevant skill level: practitioner). At this level you:
    • Elicit security requirements based on straightforward approaches such as threat/vulnerability/impact analysis. Security needs will include an understanding of the user as part of the overall system
    • Help organisations to derive and reason about their security needs, such as understanding and applying security principles to particular business scenarios
    • Interpret and clarify management or organisational intention with regards to security, such as described in risk appetite statements. This includes interpreting such statements into meaningful and appropriate security requirements
    • Provide security advice to non-standard use cases, drawing on and using experts in specific topics or technologies
    • Use standardised control frameworks (such as ISO/IEC 27001 and 27002) appropriately, with awareness of their strengths and limitations
    • Understand when security measures might impact on users or business needs and provide effective advice to help the business make an appropriate decision
    • Apply a range of assurance approaches, with a clear understanding of the strengths and limitations of each approach. There is a clear ability to map the assurance options recommended directly to the security need to be addressed
    • Seek assurance and confidence that is not limited to a point in time but addresses the whole system/service life cycle
    • Provide meaningful security and risk communication in a range of scenarios. Understand and take account of the limitations of various risk communication mechanisms, such as qualitative versus quantitative approaches
  • Protective security (Relevant skill level: practitioner). At this level you:
    • Develop and apply new concepts in protective security, involving the other specialisms, including the Corporate Enablers
    • Develop individuals and contribute to the development of protective security practices
    • Promote protective security as a business enabler throughout the organisation
    • Engage with the UK security community
  • Threat understanding (Relevant skill level: practitioner). At this level you:
    • Proactively identify, interpret and leverage a range of relevant sources of threat information, using a variety of techniques, to understand the threat environment (local and strategic), including its nature, capability, focuses of interest and other factors associated with relevant threats
    • Use lessons learned to maintain an understanding of the organisation’s attack surface, and use local and strategic threat information in decision-making and planning
    • Communicate tailored threat information to relevant senior stakeholders across multiple sites and/or business functions
    • Combine external threat information, organisational context and situational awareness to provide a holistic threat understanding capability

Cyber security risk manager principal

Typical role level expectations

  • Lead and undertake risk management activities against the hardest or most novel scenarios, while applying the fundamental principles of risk management to a range of complex scenarios, and lead regulatory or legislative compliance activities
  • Guide and direct specialist activities of others, actively promoting development in the applicable skills, providing leadership to other risk managers, and sharing best practice widely across government, the public sector, and industry
  • Lead the analysis and derivation of complex security needs
  • Lead Cyber Security related risk assessments and other expert risk management activities, including providing guidance on establishing the organisation’s Cyber Security related governance arrangements
  • Provide guidance to ensure ongoing confidence that fundamental organisational security needs have been met, including integrating a range of assurance approaches and techniques to give continued confidence to the risk, service or system owner
  • Shape leadership decision-making through:
    • effective reporting and communication regarding the effectiveness of security processes across an organisation
    • providing recommendations to highly complex problems
    • acting as an SME for complex cyber risk management concerns, issues and problems

Skills needed for this role

  • Information risk assessment and risk management (Relevant skill level: expert). At this level you:
    • Enable the organisation to deliver balanced and cost-effective risk management decisions on situations with complex scope or significant risk. Ensure that risk is embedded into corporate governance processes
    • Integrate risk management processes into appropriate business activities such as system development, security architecture or procurement
    • Develop approaches to effectively report risk (including through system life cycles) to management who are responsible for risk to a given system or capability. This includes the ability to interpret management risk direction to others (such as developers or other security professionals)
    • Deliver comprehensive risk assessments for complicated or novel scenarios, using methodologies appropriate to the situation. Understand in detail how the risk assessment output dovetails into the risk management process
    • Determine and understand the security characteristics of complicated or novel systems
  • Applied security capability (Relevant skill level: practitioner). At this level you:
    • Elicit security requirements based on straightforward approaches such as threat/vulnerability/impact analysis. Security needs will include an understanding of the user as part of the overall system
    • Help organisations to derive and reason about their security needs, such as understanding and applying security principles to particular business scenarios
    • Interpret and clarify management or organisational intention with regards to security, such as described in risk appetite statements. This includes interpreting such statements into meaningful and appropriate security requirements
    • Provide security advice to non-standard use cases, drawing on and using experts in specific topics or technologies
    • Use standardised control frameworks (such as ISO/IEC 27001 and 27002) appropriately, with awareness of their strengths and limitations
    • Understand when security measures might impact on users or business needs and provide effective advice to help the business make an appropriate decision
    • Apply a range of assurance approaches, with a clear understanding of the strengths and limitations of each approach. There is a clear ability to map the assurance options recommended directly to the security need to be addressed
    • Seek assurance and confidence that is not limited to a point in time but addresses the whole system/service life cycle
    • Provide meaningful security and risk communication in a range of scenarios. Understand and take account of the limitations of various risk communication mechanisms, such as qualitative versus quantitative approaches
  • Protective security (Relevant skill level: expert). At this level you:
    • Lead innovation in protective security, taking into account other specialisms/enablers and business drivers
    • Promote the development of individuals against the career framework
    • Promote the use of protective security as a business enabler at board or senior management level
    • Are an active member of the UK security community
  • Threat understanding (Relevant skill level: practitioner). At this level you:
    • Proactively identify, interpret and leverage a range of relevant sources of threat information, using a variety of techniques, to understand the threat environment (local and strategic), including its nature, capability, focuses of interest and other factors associated with relevant threats
    • Use lessons learned to maintain an understanding of the organisation’s attack surface, and use local and strategic threat information in decision-making and planning
    • Communicate tailored threat information to relevant senior stakeholders across multiple sites and/or business functions
    • Combine external threat information, organisational context and situational awareness to provide a holistic threat understanding capability

Contact

ddat@gov.scot
